ICS

A new study of 17 malware frameworks shows threat actors always use USB drives to sneak malware into air-gapped environments and then steal data from there.

A new ESET study of 17 malware frameworks that threat actors have used over the past decade to target air-gapped systems showed every one of them used a USB drive to introduce malware into the environment and extract data from there. The security vendor found that the best defense for organizations against attacks on air-gapped systems is to restrict USB use as much as possible and to monitor them closely in situations where the devices need to be used.

https://www.eset.com/ca/about/newsroom/press-releases/eset-research-analyzes-malicious-frameworks-targeting-air-gapped-networks-dissects-15-years-of-nati-2/

Read more

Hello All. Researchers as Claroty, well kn0wn OT passive monitoring vendor have disclosed multiple critical vulnerabilities in vendor implementations of the Open Platform Communications (OPC) network protocol.

What is the OPC Protocol Anyway?

OPC communicates information from a data source such as a server to any client application in a standard way without requiring the application to have any specific knowledge about the data source such as its communication protocols. When diverse OT systems are required to communicate with each other a separate protocol or method is required for each device. As a solution the OPC (linking and correlating objects in process control) standard was developed.

OPC is a communication standard known as the OLE / COM (object Linking & Embedding / component object model) standard, based on Microsoft’s object-oriented technology aimed at integration between different applications, to make the connection between different units in automation systems fast and reliable.

Claroty’s Findings

The vulnerabilities affect the following vendors and products: Softing’s Industrial Automation OPC library, Kepware PTC’s ThingWorx Kepware Edge and KEPServerEX OPC servers, and Matrikon’s Matrikon OPC Tunneller.

These three products are integrated into many other vendors’ offerings as a third-party component. For example, Softing’s OPC library is being used as a third-party OPC protocol stack by some vendors, and the KEPServerEX OPC Server is being used as an OEM shelf solution by other well-known vendors, including Rockwell Automation and GE, both of which have published advisories informing their users of these security issues. We believe these vulnerabilities may affect multiple other products sold by vendors across all ICS vertical markets. Here is a list of the vulnerability CVEs:

Softing Industrial Automation GmbH

  • CVE-2020-14524: Heap-Based Buffer Overflow (CWE-122)
  • CVE-2020-14522: Uncontrolled Resource Consumption (CWE-400)

Kepware PTC

  • CVE-2020-27265: Stack-based buffer overflow (CWE-121)
  • CVE-2020-27263: Heap-based buffer overflow (CWE-122)
  • CVE-2020-27267: Use-after-free (CWE-416)

Matrikon Honeywell OPC DA Tunneler

  • CVE-2020-27297: Heap overflow due to integer overflow (CWE-122)
  • CVE-2020-27299: Information leak due to OOB read (CWE-125)
  • CVE-2020-27274: Improper check for unusual or exceptional conditions (CWE-754)
  • CVE-2020-27295: Uncontrolled resource consumption (CWE-400)

Claroty are urging users of these products to upgrade to the latest version to mitigate these vulnerabilities.

Read more